Is This Open To SQL Injection?

Kee Nethery kee at kagi.com
Wed Jul 7 20:14:58 EDT 2010


Yes, your SQL would be trivial to manipulate via SQL injection.

Not only do you need to validate each piece of data submitted by a user, you need to escape all the wildcard characters that your database uses. If the text string supplied by a user has quotes or parens or wildcard characters, the text could be interpreted as SQL and that is what you must avoid.

Kee Nethery
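An added example (not part of the post above) showing the two failure modes it describes, using Python's standard sqlite3 module: string-formatted SQL in which a quote in user input becomes SQL, the parameter-bound form in which the driver keeps input as data, and separate escaping of LIKE wildcards, which parameter binding does not neutralise. The table, rows and function names are constructed for the example.

```python
import sqlite3

# Constructed in-memory table so the example runs offline.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("o'neil", "oneil@example.com"),
        ("carol_x", "carol@example.com"),
    ])
    return con

def find_by_name_unsafe(con, name):
    # String formatting: a quote or paren inside `name` is parsed as SQL.
    # A name like o'neil already breaks the statement; crafted input
    # can change its meaning instead of just breaking it.
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in con.execute(sql)]

def find_by_name_safe(con, name):
    # Parameter binding: `name` is sent as a value, never spliced into SQL
    # text, so quotes and parens in it cannot alter the query.
    rows = con.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def escape_like(pattern, esc="\\"):
    # Binding does not neutralise LIKE wildcards (% and _): they are data
    # to SQL but still pattern syntax to LIKE. Escape them and declare
    # the escape character in the query (see find_by_prefix_safe).
    for ch in (esc, "%", "_"):
        pattern = pattern.replace(ch, esc + ch)
    return pattern

def find_by_prefix_safe(con, prefix):
    # Only the trailing % added here acts as a wildcard.
    rows = con.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'",
        (escape_like(prefix) + "%",),
    )
    return [row[0] for row in rows]
```

With the constructed table, the unsafe lookup for "o'neil" raises a syntax error while the bound version returns the row, and a prefix of "%" matches nothing because the wildcard was escaped.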


More information about the Python-list mailing list